Securing a Statically Hosted Website on AWS

Securing a statically hosted website on AWS (like one served through Amazon S3 + CloudFront) involves several layers of security controls. Here's a comprehensive breakdown and guide:

✅ Common Stack:

S3 for static file hosting
CloudFront as CDN (optional but recommended)
Route 53 for DNS (optional)
ACM (AWS Certificate Manager) for HTTPS

🔐 1. S3 Bucket Security Controls

✅ Enable Bucket Policy Restriction

Go to S3 > [Your Bucket] > Permissions > Block Public Access
Enable:
- Block public ACLs
- Block public bucket policies
- Block new public ACLs and policies

✅ Use Bucket Policy to Allow Only CloudFront Access

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::ACCOUNT_ID:distribution/DISTRIBUTION_ID"
        }
      }
    }
  ]
}

Or use Origin Access Control (OAC) with CloudFront for secure access.

🔒 2. HTTPS (TLS) with CloudFront + ACM

Request a certificate in ACM (us-east-1)
Attach the cert to your CloudFront distribution
Force HTTPS by setting Viewer Protocol Policy to "Redirect HTTP to HTTPS"

🧾 3. HTTP Security Headers

These can’t be set directly in S3, so use CloudFront Function or Lambda@Edge to inject them:

function handler(event) {
  var response = event.response;
  var headers = response.headers;

  headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubDomains; preload' };
  headers['content-security-policy'] = { value: "default-src 'self';" };
  headers['x-content-type-options'] = { value: 'nosniff' };
  headers['x-frame-options'] = { value: 'DENY' };
  headers['x-xss-protection'] = { value: '1; mode=block' };
  headers['referrer-policy'] = { value: 'no-referrer' };

  return response;
}

🔐 4. CloudFront Controls

✅ Enable Shield Standard (automatically included—helps against DDoS)
✅ Enable WAF (Optional, Extra Layer)
- Use AWS WAF with CloudFront to block IPs, bad bots, common attack patterns (e.g., SQLi, XSS).

🕵️‍♂️ 5. Logging and Monitoring

✅ S3 Access Logs: Enable logging to a dedicated S3 bucket
✅ CloudFront Logs: Enable access logging to S3 and analyze via Athena or QuickSight
✅ AWS CloudTrail: Track API calls across AWS accounts

⚙️ 6. Deployment Practices

Use CI/CD (e.g., GitHub Actions, CodePipeline) to automate deployments securely
Ensure objects are uploaded with proper MIME types (e.g., text/html, application/javascript)

🧼 7. Cache Invalidation

Secure cache invalidation with:

aws cloudfront create-invalidation --distribution-id DIST_ID --paths "/*"

Summary Checklist ✅

Control	Applied?
S3 public access blocked	✅
HTTPS enforced via CloudFront	✅
ACM TLS cert configured	✅
HTTP security headers via Lambda@Edge	✅
CloudFront WAF rules (optional)	✅/🔲
Access logs on S3 and CloudFront	✅
CI/CD secure deployment pipeline	✅/🔲
CloudTrail enabled	✅

Implementation can vary..